Release notes
*Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).*
> ## 2.4.0 / 2019-11-25
>
> ### Features
>
> * Allow CSS property `max-width` [#175](https://github-redirect.dependabot.com/flavorjones/loofah/issues/175) (Thanks, [@bchaney](https://github.com/bchaney)!)
> * Allow CSS sizes expressed in `rem` [#176, [#177](https://github-redirect.dependabot.com/flavorjones/loofah/issues/177)]
> * Add `frozen_string_literal: true` magic comment to all `lib` files. [#118](https://github-redirect.dependabot.com/flavorjones/loofah/issues/118)
>
> ## 2.3.1 / 2019-10-22
>
> ### Security
>
> Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171)
>
> ## 2.3.0 / 2019-09-28
>
> ### Features
>
> * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)]
> * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)]
> * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!)
> * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
> * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
> * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!)
>
>
> ### Bug fixes
>
> * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!)
>
>
> ### Deprecations / Name Changes
>
> The following method and constants are hereby deprecated, and will be completely removed in a future release:
>
> * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
> * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
> * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
>
> Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
>
>
Changelog
*Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).*
> ## 2.4.0 / 2019-11-25
>
> ### Features
>
> * Allow CSS property `max-width` [#175](https://github-redirect.dependabot.com/flavorjones/loofah/issues/175) (Thanks, [@bchaney](https://github.com/bchaney)!)
> * Allow CSS sizes expressed in `rem` [#176, [#177](https://github-redirect.dependabot.com/flavorjones/loofah/issues/177)]
> * Add `frozen_string_literal: true` magic comment to all `lib` files. [#118](https://github-redirect.dependabot.com/flavorjones/loofah/issues/118)
>
>
> ## 2.3.1 / 2019-10-22
>
> ### Security
>
> Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171)
>
>
> ## 2.3.0 / 2019-09-28
>
> ### Features
>
> * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)]
> * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)]
> * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!)
> * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!)
> * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!)
> * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!)
>
>
> ### Bug fixes
>
> * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!)
>
>
> ### Deprecations / Name Changes
>
> The following method and constants are hereby deprecated, and will be completely removed in a future release:
>
> * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
> * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
> * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
>
> Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
Commits
- [`724ac1c`](https://github.com/flavorjones/loofah/commit/724ac1c9d689e1fdce9542816909a12632cf410f) version bump to v2.4.0
- [`e808fb6`](https://github.com/flavorjones/loofah/commit/e808fb67a3b4778dd58030bdfffccfac6019fa47) ci: don't turn on frozen strings until after bundle install
- [`0eb9976`](https://github.com/flavorjones/loofah/commit/0eb99761d1d86309f403a767d6254c05e1bea42b) update CHANGELOG
- [`0783f5b`](https://github.com/flavorjones/loofah/commit/0783f5b1b102046cc8dae23634e8ab27227a9def) add magic comment for frozen string literals to all files
- [`5ce3a71`](https://github.com/flavorjones/loofah/commit/5ce3a7175974bf88f338cdae518234bc1abae224) add rubocop as dev dep and configure security and frozen string cops
- [`82ae384`](https://github.com/flavorjones/loofah/commit/82ae384998ea1769371233dd2181de644284fc42) test suite should check compatibility with frozen string literals
- [`8747065`](https://github.com/flavorjones/loofah/commit/8747065613a0b1faf48681bf431efae8430801a2) Merge pull request [#175](https://github-redirect.dependabot.com/flavorjones/loofah/issues/175) from bchaney/allow-css-max-width
- [`2767ae3`](https://github.com/flavorjones/loofah/commit/2767ae3be611a40c8c4c01c92188343a91eb8bfc) Merge pull request [#177](https://github-redirect.dependabot.com/flavorjones/loofah/issues/177) from flavorjones/176-allow-rem-css-sizes
- [`13f734f`](https://github.com/flavorjones/loofah/commit/13f734ff46642c6d0b1cf784eb138f6ab66e05b7) css sanitizer allows "rem" sizes
- [`2699b61`](https://github.com/flavorjones/loofah/commit/2699b61a50e67adacabd1fc0990e8bfa69f63d1a) Allow CSS property: max-width
- Additional commits viewable in [compare view](https://github.com/flavorjones/loofah/compare/v2.2.3...v2.4.0)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/fengb/nvst/network/alerts).
Bumps loofah from 2.2.3 to 2.4.0.
Release notes
*Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).* > ## 2.4.0 / 2019-11-25 > > ### Features > > * Allow CSS property `max-width` [#175](https://github-redirect.dependabot.com/flavorjones/loofah/issues/175) (Thanks, [@bchaney](https://github.com/bchaney)!) > * Allow CSS sizes expressed in `rem` [#176, [#177](https://github-redirect.dependabot.com/flavorjones/loofah/issues/177)] > * Add `frozen_string_literal: true` magic comment to all `lib` files. [#118](https://github-redirect.dependabot.com/flavorjones/loofah/issues/118) > > ## 2.3.1 / 2019-10-22 > > ### Security > > Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. > > This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171) > > ## 2.3.0 / 2019-09-28 > > ### Features > > * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)] > * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)] > * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!) > * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!) > * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!) > * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!) > > > ### Bug fixes > > * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!) > > > ### Deprecations / Name Changes > > The following method and constants are hereby deprecated, and will be completely removed in a future release: > > * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead. > * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead. > * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead. > > Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive. > >Changelog
*Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).* > ## 2.4.0 / 2019-11-25 > > ### Features > > * Allow CSS property `max-width` [#175](https://github-redirect.dependabot.com/flavorjones/loofah/issues/175) (Thanks, [@bchaney](https://github.com/bchaney)!) > * Allow CSS sizes expressed in `rem` [#176, [#177](https://github-redirect.dependabot.com/flavorjones/loofah/issues/177)] > * Add `frozen_string_literal: true` magic comment to all `lib` files. [#118](https://github-redirect.dependabot.com/flavorjones/loofah/issues/118) > > > ## 2.3.1 / 2019-10-22 > > ### Security > > Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. > > This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171) > > > ## 2.3.0 / 2019-09-28 > > ### Features > > * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)] > * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)] > * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@danfstucky](https://github.com/danfstucky)!) > * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@jaredbeck](https://github.com/jaredbeck)!) > * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@georgeclaghorn](https://github.com/georgeclaghorn)!) > * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@andreynering](https://github.com/andreynering)!) > > > ### Bug fixes > > * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@asok](https://github.com/asok)!) > > > ### Deprecations / Name Changes > > The following method and constants are hereby deprecated, and will be completely removed in a future release: > > * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead. > * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead. > * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead. > > Thanks to [@JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.Commits
- [`724ac1c`](https://github.com/flavorjones/loofah/commit/724ac1c9d689e1fdce9542816909a12632cf410f) version bump to v2.4.0 - [`e808fb6`](https://github.com/flavorjones/loofah/commit/e808fb67a3b4778dd58030bdfffccfac6019fa47) ci: don't turn on frozen strings until after bundle install - [`0eb9976`](https://github.com/flavorjones/loofah/commit/0eb99761d1d86309f403a767d6254c05e1bea42b) update CHANGELOG - [`0783f5b`](https://github.com/flavorjones/loofah/commit/0783f5b1b102046cc8dae23634e8ab27227a9def) add magic comment for frozen string literals to all files - [`5ce3a71`](https://github.com/flavorjones/loofah/commit/5ce3a7175974bf88f338cdae518234bc1abae224) add rubocop as dev dep and configure security and frozen string cops - [`82ae384`](https://github.com/flavorjones/loofah/commit/82ae384998ea1769371233dd2181de644284fc42) test suite should check compatibility with frozen string literals - [`8747065`](https://github.com/flavorjones/loofah/commit/8747065613a0b1faf48681bf431efae8430801a2) Merge pull request [#175](https://github-redirect.dependabot.com/flavorjones/loofah/issues/175) from bchaney/allow-css-max-width - [`2767ae3`](https://github.com/flavorjones/loofah/commit/2767ae3be611a40c8c4c01c92188343a91eb8bfc) Merge pull request [#177](https://github-redirect.dependabot.com/flavorjones/loofah/issues/177) from flavorjones/176-allow-rem-css-sizes - [`13f734f`](https://github.com/flavorjones/loofah/commit/13f734ff46642c6d0b1cf784eb138f6ab66e05b7) css sanitizer allows "rem" sizes - [`2699b61`](https://github.com/flavorjones/loofah/commit/2699b61a50e67adacabd1fc0990e8bfa69f63d1a) Allow CSS property: max-width - Additional commits viewable in [compare view](https://github.com/flavorjones/loofah/compare/v2.2.3...v2.4.0)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/fengb/nvst/network/alerts).